On 22/02/17 15:43, Andrew Wiles [aew] wrote:
> Hi Robert,
>
> Is it reasonable to assume that if a SP is capable of using a
> SAML2 NameID, they will before looking for EPTID, and if not
> they're probably still SAML1 only anyway?
Sorry for not seeing this before this week! I think this depends a lot
on the details of how the SP in question is configured. I think the
Shibboleth SP would give you a multivalued REMOTE_USER and persistent-id
if the two were different, but I could be wrong.
> I'm implementing our upgrade with the approach of: Keeping storedID
> generated values for SAML1, using the new Bean method to do
> Computed NameIDs for SAML2, using the same salt, the same results
> are produced.
>
The IdP doesn't separate persistent ID generation out by SAML protocol,
so you'd need to use the storedID source for both. If you give the
storedID bean the correct salt, it should calculate the same persistent
IDs as the computed ID source would.
> (Our reasons for using storedIDs are probably unique to us, we
> were using Computed IDs with Shib 1.3 with a complex JKS stored
> salt. This didn't sit well with Shib2 so we created a local patch
> to allow for base64 encoded salts to be used with a storedID with
> the view of dumping them all in a SQLite database and retiring the
> patch and using a new salt after $REASONABLE_NUM years.)
>
I suspect this is actually quite common amongst older Shibboleth users.
It's possible to configure a binary salt in saml-nameid.xml one byte at
a time using Spring syntax:
    <bean id="shibboleth.ComputedPersistentIdGenerator" lazy-init="true"
          class="net.shibboleth.idp.saml.nameid.impl.ComputedPersistentIdGenerationStrategy">
        <property name="salt">
            <list>
                <!-- List of byte values -->
                <value>#{ 0x00.byteValue() }</value>
                <value>#{ 0x01.byteValue() }</value>
                <value>#{ 0x02.byteValue() }</value>
                <!-- etc. -->
            </list>
        </property>
        <property name="algorithm" value="%{idp.persistentId.algorithm:SHA}" />
    </bean>
You need to patch the IdP software though to get things working with
eduPersonTargetedID.
--
Dr Robert Bradley
Identity and Access Management Team, IT Services, University of Oxford
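The point of the exchange above is that a storedID source fed the same binary salt should reproduce the computed persistent IDs, whether that salt is configured one byte at a time in saml-nameid.xml or carried as a base64 string by a local patch. The following Python is an added example, not code from the thread or from the Shibboleth project: it reproduces the computed-ID digest as I understand it (hash of relying party ID, "!", source ID, "!", salt, then base64-encoded, SHA-1 by default), builds the same salt from both representations, and checks that both forms yield the identical ID. The digest layout and the 16-byte minimum salt length are assumptions from my reading of the IdP source; confirm against an ID your own IdP emits before using this to verify a migration.

```python
import base64
import hashlib

# Assumed digest layout of the IdP's computed persistent ID (not taken from
# the thread; verify against a real IdP before relying on it):
#   Base64( H( relyingPartyId + "!" + sourceId + "!" + salt ) )
# where H is SHA-1 unless idp.persistentId.algorithm says otherwise.
ALGORITHMS = {"SHA": "sha1", "SHA-1": "sha1", "SHA-256": "sha256"}


def salt_from_byte_list(values):
    """Salt written the saml-nameid.xml way: one byte per <value/> element.
    Java bytes are signed, so negative values are masked to 0..255."""
    return bytes(v & 0xFF for v in values)


def salt_from_base64(encoded):
    """Salt stored as a base64 string (the locally patched storedID style)."""
    return base64.b64decode(encoded)


def computed_persistent_id(relying_party_id, source_id, salt, algorithm="SHA"):
    """Return the base64 computed ID for (relying party, principal) under salt."""
    # Mirrors the minimum salt length the IdP enforces, as I recall it (assumption).
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    md = hashlib.new(ALGORITHMS[algorithm])
    md.update(relying_party_id.encode("utf-8"))
    md.update(b"!")
    md.update(source_id.encode("utf-8"))
    md.update(b"!")
    md.update(salt)
    return base64.b64encode(md.digest()).decode("ascii")


# Constructed sample salt (16 bytes), expressed both ways the thread mentions.
SALT_BYTE_LIST = list(range(16))
SALT_B64 = base64.b64encode(salt_from_byte_list(SALT_BYTE_LIST)).decode("ascii")


def same_id_from_both_salt_forms(rp="https://sp.example.org/shibboleth", uid="jdoe"):
    """True when the byte-list salt and the base64 salt give the same ID."""
    from_list = computed_persistent_id(rp, uid, salt_from_byte_list(SALT_BYTE_LIST))
    from_b64 = computed_persistent_id(rp, uid, salt_from_base64(SALT_B64))
    return from_list == from_b64


if __name__ == "__main__":
    salt = salt_from_byte_list(SALT_BYTE_LIST)
    print(computed_persistent_id("https://sp.example.org/shibboleth", "jdoe", salt))
    print("byte-list and base64 salts agree:", same_id_from_both_salt_forms())
```

To check a migration, run a handful of principals through this with the production salt and compare the output to the persistent-id values your IdP has already issued to a given SP; a mismatch points at the salt bytes (signedness or encoding) rather than at the storedID plumbing.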